Read our first published paper on medRxiv
Scholara

Privacy Policy

Effective Date: February 6, 2026

Introduction

Welcome to Scholara, an automated systematic review and meta-analysis platform for academic research. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform.

We are committed to protecting your privacy and ensuring transparency about our data practices. Please read this Privacy Policy carefully. By using Scholara, you agree to the collection and use of information in accordance with this policy.

Information We Collect

Account Data

When you create an account, we collect:

  • Email address
  • Full name
  • Password (securely hashed using bcrypt)
  • Profile image URL (optional)
  • OAuth authentication data from Google or GitHub (provider ID, email)
  • Two-factor authentication (2FA/TOTP) secrets (if enabled)
  • Email verification tokens and password reset tokens
  • Account timestamps (creation date, last updated, last login)
  • Invitation code redemption information

Research Data

When you use Scholara to conduct systematic reviews, we collect:

  • Review session names, descriptions, and research questions
  • PICO criteria (Population, Intervention, Comparator, Outcomes)
  • Search queries and MeSH terms
  • Article screening decisions and rationales
  • Extracted study data and statistical information
  • Quality assessment scores (Risk of Bias assessments)
  • Chat messages with AI assistants
  • Activity logs with timestamps

Important: We do not collect patient health information (PHI). All data processed relates to published research literature only.

Automatically Collected Information

We automatically collect certain technical information:

  • Session authentication tokens (JWT)
  • Browser local storage data (API response cache, PDF cache, UI preferences)
  • OAuth provider cookies during authentication flows

We do not use: Analytics cookies, advertising cookies, or tracking pixels.

How We Use Your Information

We use your information to:

  • Create and manage your account
  • Authenticate your identity and provide secure access
  • Process and store your systematic review projects
  • Provide AI-assisted research features (article screening, data extraction, risk of bias assessment)
  • Send transactional emails (account verification, password resets, important notifications)
  • Improve platform functionality and user experience
  • Ensure platform security and prevent fraud
  • Comply with legal obligations

Third-Party Services and Data Sharing

Scholara integrates with third-party services to provide its functionality. Your data may be shared with the following providers:

Anthropic (Claude AI)

Data shared: Research questions, article abstracts and full-text content for AI-assisted screening, data extraction, and risk of bias assessment.

OpenAI (GPT-4)

Data shared: Research questions, article content, and text for generating vector embeddings used in retrieval-augmented generation (RAG).

Google (Gemini AI)

Data shared: Article abstracts and screening data for consensus generation.

PubMed/NCBI

Data shared: Search queries for retrieving published research articles.

Resend

Data shared: Email addresses for sending transactional emails (account verification, password resets).

Railway

Data shared: All platform data (hosted PostgreSQL database infrastructure).

We do not sell, rent, or trade your personal information to third parties for marketing purposes. Data is shared with third-party services solely to provide and improve platform functionality.

Cookies and Local Storage

Scholara uses minimal cookies and browser storage to function properly:

  • Session Cookie: NextAuth session cookie (JWT token) with 7-day expiry for authentication
  • Local Storage: API response cache, PDF document cache, and UI preferences
  • OAuth Cookies: Temporary cookies from Google/GitHub during OAuth login flows

We do not use analytics cookies, advertising cookies, or third-party tracking technologies. You can clear your browser's local storage and cookies at any time, but this may log you out and reset your UI preferences.

Data Security

We implement industry-standard security measures to protect your data:

  • Passwords are hashed using bcrypt before storage
  • JWT-based authentication with token expiry
  • Optional two-factor authentication (2FA/TOTP) support
  • SSL/TLS encrypted database connections
  • Email verification required for new accounts
  • Secure token-based password reset flow

While we strive to use commercially acceptable means to protect your information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

Data Retention

We retain your personal information and research data for as long as your account is active or as needed to provide you services. You may request deletion of your account and associated data at any time (see "Your Rights" below).

After account deletion, some data may be retained in backup systems for up to 90 days for disaster recovery purposes, after which it is permanently deleted.

We may retain anonymized or aggregated data indefinitely for research and platform improvement purposes.

Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request correction of inaccurate or incomplete information
  • Deletion: Request deletion of your account and associated data
  • Data Export: Export your research data in common formats (Excel, CSV, JSON)
  • Objection: Object to processing of your data for specific purposes
  • Restriction: Request restriction of processing under certain circumstances

To exercise any of these rights, please contact us using the information provided in the "Contact Information" section below. We will respond to your request within 30 days.

Children's Privacy

Scholara is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately, and we will delete such information.

International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that differ from those in your jurisdiction.

Our third-party service providers (Anthropic, OpenAI, Google, Railway) operate globally and may process data in multiple jurisdictions. We ensure that appropriate safeguards are in place to protect your data in accordance with this Privacy Policy.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, regulatory, or operational reasons. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Effective date" at the top.

We encourage you to review this Privacy Policy periodically. Your continued use of Scholara after any changes indicates your acceptance of the updated policy.

Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Stematic Labs

Email: contact@stematic.ai